Chapter 9 - Establishing An Incident Response Capability

PURPOSE. This chapter provides the policies for responding to adverse events such as computer viruses, malicious software, hoaxes, vandalism, automated attacks, and intrusions. The purpose is to ensure that appropriate action is taken to minimize the consequences of such adverse events and that emergency response procedures and responsibilities are documented, understood, and properly executed when necessary. The Indian Health Service (IHS) Security Program is in compliance with Federal laws, regulations, and directives. The program communicates uniform policies for the protection and control of Information Technology (IT) resources directly or indirectly relating to the activities of the IHS.

BACKGROUND. The IHS recognized a need to augment its computer security efforts because of increased threats to critical cyber-based infrastructure systems. Incidents involving cyber threats, i.e., viruses, malicious user activity, and vulnerabilities associated with highly interconnected technology, require a skilled and rapid response before they can cause significant damage to computing resources, loss or destruction of data, loss of funds, loss of productivity, and damage to the IHS's reputation. These situations require that the IHS have a coordinated computer security incident response capability as an extension to its contingency planning process.

SCOPE. This chapter applies to all IHS organizational components including but not limited to Headquarters, Area Offices, and service units conducting business for and on behalf of the IHS through contractual relationships when using IHS IT resources. The policies contained in this chapter apply to all IHS IT activities including the equipment, procedures, and technologies that are employed in managing these activities. The chapter is applicable to teleworking, travel, other off-site locations, and all IHS office locations. Agency officials shall apply this chapter to contractor personnel, interns, externs, and other non-Government employees by incorporating such reference in contracts or memorandums of agreement as conditions for using Government-provided IT resources. This chapter applies to computer security threats initiated by employees (e.g., misconduct) and external components.

Computer Security Incident. Any event that may result in or has resulted in the unauthorized access to or disclosure of sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource. Examples of incidents may include: the unauthorized use of another user’s account, unauthorized use of system privileges, execution of malicious code (e.g., viruses, Trojan horses, or back doors), unauthorized scans or probes, successful or unsuccessful intrusions, and insider attacks. Events such as natural disasters and power-related disruptions are not generally within the scope of Incident Response Teams (IRT) and should be addressed in the IHS’s business continuity and contingency plan.

Enterprise Infrastructure Management. Enterprise Infrastructure Management (EIM) is an operational IT management framework that will protect the IHS’s national IT operating infrastructure by restructuring management practices, procedures, and functional boundaries. The EIM will provide automated tools to reduce user and system administrator workload and increase system management capability.

Event. An event is any observable occurrence in a system and/or network. Examples of events include the system boot sequence, a system crash, and packet flooding within a network.

POLICY. It is the policy of the IHS to ensure that its systems and data are safe and secure from unauthorized access that might lead to the alteration, damage, or destruction of automated resources and data, unintended release of data, interrupted service, and denial of service.

PROCEDURES. The following procedures shall be followed to ensure the protection and control of IT resources:

Incident Response Capability. The IHS shall have an incident response capability to handle virtually any computer security problem that occurs and have the means for reporting incidents and disseminating incident-related information to management and users. In addition, the incident response capability must not only react to incidents, but also must have the resources to alert and educate users to pertinent risks and heighten awareness about security threats and incident-handling procedures.

Incident Response Teams. The IHS shall establish IRTs to determine the nature and level of severity of a computer security problem, participate in the investigation, and resolve the incident. The IHS may have various types of computers and network systems. Each IRT shall:

have the specific technical skills to respond quickly to incidents in a particular environment and geographical location;

report incidents and their status to the IHS Chief Information Officer (CIO); and

keep the IHS CIO apprised of events as they unfold and of ongoing investigations, and prepare a report of findings upon completion of the incident.

Reporting Notifications. Procedures for handling a variety of incidents and notifications shall be documented, including primary and secondary contacts for required reporting notifications, and shall require answers to questions that would permit the IRT to respond in a business-like manner.

Central Point of Contact. The IHS central point of contact is the CIO, Division of Information Resources, for required reporting of incidents, coordinating the Agency's response to an incident, and acting as a clearinghouse for disseminating information on alerts and vulnerabilities.

Enterprise Infrastructure Management Tools. Through the use of EIM tools, a report of computer incidents shall be submitted to the IHS Senior Information Systems Security Officer (ISSO) daily. Incidents involving substantial, systematic attacks or a significant loss of dollars, or damage to IHS property or image shall be reported to the following:

Events impacting operations shall be reported immediately to the IHS Senior ISSO, the IHS CIO, and the HHS Senior ISSO.

Contacts. Each IRT shall establish contacts with the OIG/CCU and FCIRC prior to an incident to establish a collaborative partnership and share information. These contacts are to be established at the outset; during the process of handling an incident there is not enough time to establish the correct contacts.

Violation of Law. If during the course of an investigation it appears possible that a violation of the law exists, the IHS IRT shall inform the IHS CIO, the HHS CIO, and the OIG/CCU, and submit an incident report to FCIRC with a copy to the IHS Senior ISSO.

Duties. The IHS IRT shall work with investigative agencies to determine: whether to gather evidence, monitor an intrusion, or allow an intrusion to continue; and which agencies shall assume jurisdiction in the incident.

Criminal Intent. If the IHS IRT reasonably believes that there was criminal intent involved in the incident or that reckless or negligent damage was caused resulting in costs to the Agency exceeding $5,000, the IHS IRT shall request that the OIG/CCU become involved. The OIG/CCU shall assume primary responsibility for investigating the alleged violation. The IHS IRT shall only be responsible for addressing the technical aspects of the case.

Employee, Contractor, or Other Misconduct. If the IHS IRT finds that employee, contractor, or other misconduct caused the incident, the IHS IRT shall request assistance from the OIG/CCU and the appropriate HR office or contractor representative. The OIG/CCU shall determine what actions need to be taken and be responsible for completing the investigation of the employee’s case in conjunction with other appropriate Departmental offices. The IHS IRT shall only be responsible for addressing the technical aspects of the case.

Resolved Incident. After the incident has been resolved, a “lessons learned” session shall be conducted so that the IHS IRT can learn from the experience and, if necessary, update its procedures. As a result of the post-incident analysis, the IHS IRT may need to issue alerts or warnings to its constituency about certain actions to take to reduce vulnerabilities that were exploited during the incident. Each IHS IRT shall use the post-incident analysis to ascertain the impact on the IHS of handling and resolving the incident.

RESPONSIBILITIES. Information systems security responsibilities and accountability shall be explicit. The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of information systems shall be documented.

Chief Information Officer. The IHS CIO is responsible for the following:

Developing and disseminating information on the potential dangers of computer security incidents, guidelines for controlling them, and guidelines for reporting incidents.

Collecting and reviewing daily incident reports.

Ensuring appropriate procedures are developed and implemented, and instructions are issued for the detection and removal of malicious software.

Ensuring all IHS personnel are aware of this policy.

Ensuring this policy is incorporated into computer security briefings and training programs.

Serving as an IHS point-of-contact for incident reporting and subsequent resolution.

Ensuring automated daily incident reports for all computer-related incidents are sent to the HHS Senior ISSO through the use of the EIM tools.

System Administrator. The IHS system administrator is the person most often responsible for operational security for a subset of machines within the organizational component's site or facility. The system administrator can provide a wealth of information and often can detect many incidents in reviewing log files or observing something out of the ordinary in day-to-day processes. However, untrained system administrators have the potential to do great harm in an incident. Because of their level of access to systems, they can unknowingly alert intruders that they have been detected, destroy evidence, or even destroy system files in a frantic attempt to remove the intruder. All IHS system administrators shall do the following:

Receive training in security procedures and processes for the incident response capability, as specified in this chapter; operating systems used at their respective sites/facilities; and backup processes for Unix and Windows systems.

Participate in incident-response handling and reporting by notifying their respective ISSO and implementing the Incident Response Capability procedures contained in this chapter when an incident occurs.

Work closely with their ISSO, IRT, or other IHS Security Team to perform audits or penetration testing.

Establish appropriate logging mechanisms on all servers at the site/facility.

Use automated tools where possible to review and evaluate log files.

Detect incidents from the log files and report them immediately to the ISSO and appropriate supervisors.

Perform "backups" on a regular basis. Critical systems should be backed up at least daily. Backups will include verifying the functionality of the hardware, and the integrity and reliability of the backup media and offsite storage.

Conduct testing regularly to ensure the backup media is usable.

Ensure antivirus software and current updates are installed on every computing resource in the site/facility including desktops, personal digital assistants, servers, and e-mail gateways. E-mail gateways may run more than one brand of antivirus scanner due to the large number of attacks at this point of entry.

Ensure auditing and logging are enabled and sufficient.

Supervisors and Managers. Supervisors and managers shall ensure their staff (Federal and contractor) have an awareness of their security responsibilities for reporting any computer incidents and conveying initial incident reports.

Employees. Employees shall report any suspected or actual computer incidents immediately to their help desk support, IHS Senior ISSO, or other designated personnel.

Incident Response Teams. An IRT consists of a designated core group, with ad hoc expertise added as needed. The IRT shall participate in the investigation and resolution of incidents, which include (but are not limited to) the following:

Unauthorized access or attempts.

Compromise of proprietary data using electronic means.

Computer misuse or abuse.

Loss of data or computer availability sufficient to cause mission or programmatic impact.

Vulnerability of hardware or software.

The IRT is responsible for the following:

Identifying computer security incidents, characterizing the nature and severity of the incident, and providing immediate diagnostic and corrective actions when appropriate.

Considering priorities in evaluating and responding to each incident (the incident may have many possible effects, ranging from the risk to human life and safety to protecting sensitive, proprietary and scientific data) and minimizing the disruption of computing resources.

Receiving incident reports from the intrusion detection system, pro-active scans, system administrators, law enforcement officials, and other sources.

Incident Response Team members shall share knowledge by maintaining a report log. If a suspicion is confirmed or indeterminate, the IRT shall start an event log by noting the date and time of all actions, immediately taking a snapshot of the pertinent files of the incident investigation, and informing the IHS Senior ISSO, who shall notify the CIO.

Reporting all incidents to the appropriate individuals and organizations as described in Section 8-9.1H, "Procedures."

Preparing a report of findings and performing a post-incident review.
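The event-log step above (a dated record of every action, plus a snapshot of the pertinent files) as an added Python illustration; this is not IHS code, and the incident ID, actor name and sample log file are constructed. The snapshot stores SHA-256 digests so a later check can show whether the preserved files were altered after the IRT recorded them.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream-hash a file so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def log_action(log_path, incident_id, actor, action, files=()):
    """Append one timestamped entry; any files listed are hashed at this moment."""
    entry = {
        "incident_id": incident_id,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "snapshot": {str(p): sha256_file(p) for p in files},
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")  # one JSON object per line, append-only
    return entry

def verify_snapshots(log_path):
    """Recompute every recorded digest; return paths whose content changed or vanished."""
    changed = []
    with open(log_path) as f:
        for line in f:
            for path, digest in json.loads(line)["snapshot"].items():
                if not Path(path).exists() or sha256_file(path) != digest:
                    changed.append(path)
    return changed

def demo():
    """Constructed run: record a notification, snapshot a sample log, then detect a later edit."""
    d = Path(tempfile.mkdtemp())
    evidence = d / "auth.log"  # constructed sample evidence file, not a real IHS log
    evidence.write_text("constructed sample log line\n")
    log_path = d / "events.jsonl"
    log_action(log_path, "IR-EXAMPLE-001", "analyst", "IHS Senior ISSO notified")
    log_action(log_path, "IR-EXAMPLE-001", "analyst", "snapshot taken", [evidence])
    before = verify_snapshots(log_path)  # [] : nothing changed yet
    with evidence.open("a") as f:
        f.write("tampered\n")  # simulated modification after the snapshot
    return before, verify_snapshots(log_path)  # second list names auth.log
```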

The Office of the Inspector General. The OIG/CCU is responsible for:

Promptly responding to all incidents where assistance has been requested or when notified that criminal acts have been perpetrated against IHS systems, and investigating incidents when appropriate.

Preserving, in conjunction with the system administrators, all materials, e.g., system logs, that are of evidentiary value for Federal, State, and local criminal prosecution and civil action.

Providing assistance to IT Security Officers, CIO(s), and other individuals in resolving questions of suspected criminal activity and other investigative policy questions and serving as the official liaison with the Department of Justice and other investigative agencies.